A huge glitch on DeFi platform Compound has put $160 million at risk - with the founder begging for the money to be returned

  • A botched upgrade by a DeFi platform has left around $160 million at risk, according to the network's founder.
  • Robert Leshner was imploring users to return any crypto they were sent, or had claimed, after the error.
  • Users exploited a bug on the Compound DeFi platform to drain money from a major pool of assets.

It was a very rough weekend for Compound, one of the biggest decentralized finance platforms in the world.

A routine network upgrade went badly wrong, ultimately leaving $160 million worth of cryptocurrency at risk in a pool that can be drained by experts who know how to exploit the mistake, according to Compound founder Robert Leshner.

Over the weekend, Leshner was imploring users to return any cryptocurrency they may have received or claimed from the pool. He said more than $30 million had been returned on Sunday.

On Thursday, about $90 million worth of tokens was sent out to users of DeFi protocol Compound by mistake. An upgrade had gone wrong and a glitch was accidentally sending way too much money from a pool of cash called Comptroller.

But Compound's woes intensified on Sunday when users realized they could exploit the glitch to drain even more money from Compound's reservoir to the Comptroller pool.

A user took advantage of the bug to send $69 million worth of Compound's cryptocurrency, comp, to Comptroller. Some users were then able to withdraw huge amounts of money from the pool.

Leshner tweeted on Sunday that 490,000 comp was at risk, worth around $160 million. Comp was down 6.1% to $318.22 on Monday, according to Coingecko.

Users exploit major Compound glitch

After Thursday's mess-up, Compound put in place patches to fix the problem of huge amounts of coins being sent to users. But because of its governance model, any changes take seven days to go through the system.

The delay meant the glitch could be exploited. Savvy users could add more money to the Comptroller pool by using a function called "drip()."

One user figured this out on Sunday night, sending $68.8 million of comp to the pool. After the Compound community realized, users started withdrawing tens of millions from Comptroller. The Block reported that only certain users can drain the pool.

Data from blockchain data page Etherscan appeared to show heavy activity in the Comptroller pool on Sunday night and into Monday, with money dripping in and flowing out. There was $43.4 million in the pool as of Monday.

Crypto expert Banteg said on Twitter that Compound faced the largest loss in a smart contract incident.

Compound boss left begging for money back

Leshner's initial response to the botched upgrade on Thursday was to threaten those who had been sent too much money, saying users would be reported to the IRS and their details shared online.

He later apologized, saying the threat was a "bone-headed" approach. "I'm trying to do anything I can to help the community get some of its COMP back," he said.

Over the weekend, Leshner thanked users who had returned the money and stepped up his calls for the rest to be returned. Leshner said 117,000 comp, worth around $37 million, had been returned by Sunday.

Compound is one of the biggest decentralized finance protocols in the world, and allows users to earn interest on their digital assets. DeFi is the use of crypto technology to create financial systems such as exchanges and lending agreements that don't need middlemen, but instead use self-executing "smart contracts."
